Stan A. Einstein wrote:On my reading Article 6.1(f) would seem to say that a third party with a legitimate interest can be given the information subject to the proviso of proportionality.
That being so trust members being electors can be identified as such. Not being proportional would entail giving out information such as criminal convictions.
Which is why, as I suspected, Newport County can list the names of its employees in the programme.
I will review it in due course and look forward to any other, informed opinions.
The proportionality aspect of Article 6.1(f) (which refers to the proportionality between the interests of the data subject and the legitimate interests pursued by a third party) only comes into play after a legitimate interest has been established. In order to establish a legitimate interest, the controller must consider whether the data subject could reasonably expect their personal data to be processed in this way at the time it was collected and in the context it was collected.
If a prospective director pursued a legitimate interest in my personal data collected by the Trust many years ago in order to canvas me in relation to trust elections, the data controller would first need to consider whether I would have reasonably expected this when the information was collected. If I recall correctly, the information held on me by the Trust probably flowed through from my membership of Lifeline under the previous incarnation of the club. The data controller would have to consider whether when I when I gave up that information I would have reasonably expected my information collected in the context of joining Lifeline to be given to a prospective candidate for Trust elections some 30+ years later. That's just me, the circumstances of data collection for the other 1500(ish) members will have occurred under a number of different scenarios and then you have to consider the extra protection given to members under the age of 18.
Next comes the test of necessity. Even if a legitimate interest were to be established, it has to be considered whether processing the data in this way is necessary or whether there are other, less intrusive, ways of fulfilling the legitimate interest.
Only then does proportionality come into play and the controller needs to consider whether the third party's legitimate interest is overridden by the fundamental rights of the data subject.